Does pfSense support Intel QuickAssist 8970 card? IQA89701G1P5
-
Hi there,
I have a Dell R720XD with pfSense Plus 22.01 and I bought and installed a Intel QuickAssist 8970 (QAT) cryptographic driver to deal with VPN and HAProxy SSL offloading traffic.
When I try to detect the card and/or qat support following the official documentation, I can't confirm if it is running properly or not:
dmesg | grep qat
qat0: <Intel C620/Xeon D-2100 QuickAssist PF> mem 0xddc40000-0xddc7ffff,0xddc80000-0xddcbffff irq 48 at device 0.0 numa-domain 0 on pci7
qat0: insufficient MSI-X vectors (0 vs. 17)
device_attach: qat0 attach returned 6
qat0: <Intel C620/Xeon D-2100 QuickAssist PF> mem 0xddd40000-0xddd7ffff,0xddd80000-0xdddbffff irq 52 at device 0.0 numa-domain 0 on pci8
qat0: insufficient MSI-X vectors (0 vs. 17)
device_attach: qat0 attach returned 6
qat0: <Intel C620/Xeon D-2100 QuickAssist PF> mem 0xdde40000-0xdde7ffff,0xdde80000-0xddebffff irq 53 at device 0.0 numa-domain 0 on pci9
qat0: insufficient MSI-X vectors (0 vs. 17)
device_attach: qat0 attach returned 6The command "vmstat -i | grep qat" returns nothing.
I'd have this support enabled on System -> Advanced -> Miscellaneous -> Cryptographic Hardware as "Intel QuickAssist (QAT)" but looks like it is does nothing as well. Even with the module correctly loaded:
kldstat -v | grep qat
7 1 0xffffffff8432e000 146e0 qat.ko (/boot/kernel/qat.ko)
699 pci/qatThe OpenSSL also does not shows me the available ciphers:
/usr/bin/openssl engine -t -c
(rdrand) Intel RDRAND engine
[RAND]
[ available ]
(dynamic) Dynamic engine loading support
[ unavailable ]Could you guys please help me to understand if the pfSense+ 22.01 (FreeBSD 12.3) has support for this specific card?
-
Hmm, well the you can see the driver tries to attach to it bur fails so the PCI IDs must be expected.
This is what the driver actually supports currently:#define PCI_VENDOR_INTEL 0x8086 #define PCI_PRODUCT_INTEL_C2000_IQIA_PHYS 0x1f18 #define PCI_PRODUCT_INTEL_C3K_QAT 0x19e2 #define PCI_PRODUCT_INTEL_C3K_QAT_VF 0x19e3 #define PCI_PRODUCT_INTEL_C620_QAT 0x37c8 #define PCI_PRODUCT_INTEL_C620_QAT_VF 0x37c9 #define PCI_PRODUCT_INTEL_XEOND_QAT 0x6f54 #define PCI_PRODUCT_INTEL_XEOND_QAT_VF 0x6f55 #define PCI_PRODUCT_INTEL_DH895XCC_QAT 0x0435 #define PCI_PRODUCT_INTEL_DH895XCC_QAT_VF 0x0443
That particular device may not have been tested. Our own card uses the 8955 chip.
The error it shows implies it may simply be driver setting though I don't see anything here on a 6100:
[22.01-RELEASE][admin@6100.stevew.lan]/root: sysctl -a | grep qat irq305: qat0:341 @cpu0(domain0): 0 irq306: qat0:343 @cpu1(domain0): 0 irq307: qat0:345 @cpu2(domain0): 0 irq308: qat0:347 @cpu3(domain0): 0 irq309: qat0:349 @cpu0(domain0): 0 irq310: qat0:351 @cpu1(domain0): 0 irq311: qat0:353 @cpu2(domain0): 0 irq312: qat0:355 @cpu3(domain0): 0 irq313: qat0:357 @cpu0(domain0): 0 irq314: qat0:359 @cpu1(domain0): 0 irq315: qat0:361 @cpu2(domain0): 0 irq316: qat0:363 @cpu3(domain0): 0 irq317: qat0:365 @cpu0(domain0): 0 irq318: qat0:367 @cpu1(domain0): 0 irq319: qat0:369 @cpu2(domain0): 0 irq320: qat0:371 @cpu3(domain0): 0 irq321: qat0:373 @cpu0(domain0): 0 dev.qat.0.stats.sym_alloc_failures: 0 dev.qat.0.stats.ring_full: 0 dev.qat.0.stats.gcm_aad_updates: 0 dev.qat.0.stats.gcm_aad_restarts: 0 dev.qat.0.%parent: pci1 dev.qat.0.%pnpinfo: vendor=0x8086 device=0x19e2 subvendor=0x8086 subdevice=0x19e2 class=0x0b4000 dev.qat.0.%location: slot=0 function=0 dbsf=pci0:1:0:0 handle=\_SB_.PCI0.VRP2.PXSX dev.qat.0.%driver: qat dev.qat.0.%desc: Intel C3000 QuickAssist PF dev.qat.%parent:
OpenSSL cannot use it as an external engine like that anyway though.
Steve
-
@stephenw10 thank you so much for you help.
I have other two Intel QuickAssist 8950 cards that I'm going to test during this week. These other cards depends of additional power supply from the Dell riser and I just bought the power adapter to test them.
I guess that the drivers below will be compatible:
#define PCI_PRODUCT_INTEL_DH895XCC_QAT 0x0435
#define PCI_PRODUCT_INTEL_DH895XCC_QAT_VF 0x0443Do you think so?
Or pfSense Plus only supports this one from NetGate:
https://shop.netgate.com/collections/all-products/products/netgate-cpic-8955-cryptographic-accelerator-card-with-qat
-
Well if the PCI IDs match I would expect it to work. I would have expected that other card to work too though so it's hard to say without actually testing the hardware.
I can say for sure that the older Cave Creek based chipsets are not supported.
Steve
-
Or pfSense Plus only supports this one from NetGate:
pfSense plus comes with one driver that is supporting many
but not all cards and/or chips. If you get hands on a support
card (chip) it will running out of the box! Coding a driver means you should be also hands on a device or hardware
and such of the Intel QAT cards are often high in price!!!So if someone is coding that driver, that should be taking
care on all available QAT things on the market he should be sorted with money or hardware for doing this.Spend some money to the FreeBSD Project and/or support
coders with hardware for getting the maximum out.